Recently, a security specialist in Bangalore
released a video in which he demonstrated how the Internet
Banking System of ICICI Bank was vulnerable to a virus attack.

The Bank immediately sent an email notice to the security
consultant requesting removal of the content, failing which
legal action was threatened.

The action of the Bank raises an important question: what is
the role of security specialists when they observe a
vulnerability that could damage the interests of hundreds of
Bank customers?

Is it not the duty of every citizen to point out the possibility
of a “Cyber Crime” and demand that a Bank should take better
security measures?

Withdrawing the article will not make the threat go away. It will
enable Banks to continue misleading Customers about the
security environment.

The revelation of the security vulnerability in the system of
ICICI Bank should also be considered a notice not only to
ICICI Bank but also to all other Banks which may have similar
problems. As part of due diligence, all Banks now need to
conduct an internal assessment to examine the vulnerability
discussed by the consultant and examine whether their systems
are also equally vulnerable. If they find a similar hole in
their security, they need to share the information with their
customers as a necessary disclosure.

It is also necessary for the Reserve Bank of India to ask all
Banks to report whether they have similar
vulnerabilities.

If other Banks also exhibit similar vulnerabilities, the IS
auditors who audited the respective Banks and gave
them a certificate of satisfactory security status also need to
take responsibility.

I suggest that RBI call for copies of the reports submitted by
Security auditors to Banks and check if they have made any
observations or suggestions to the Banks on the “Man in the Middle
Attack” and how to secure themselves against such risks.